and runs a heavily stripped-down version of Linux that lacks systemd and apt.

Ok, that's a plus in my book. Probably Alpine (often used in containers) or something.

Edit: cut the first question into another one, since this one here likely derails into a System discussion.

Apalrd has done some great "popular computer science" videos on the various remote KVM devices that is well worth looking up. One of them specifically goes into the ridiculously sketchy methods that are used to fetch and execute unsigned code in random buckets to handle firmware updates.

But as for the mic? Honestly, if you open up a LOT of consumer devices you are going to find random microphones. Not because they are all secretly spying on you. But because they use "off the shelf" chips and boards that already have those embedded. Especially since microphones and speakers are kind of the same hardware in most cases and we ALL love a good beep.

I 100% agree the software stack shouldn't be on there. But, as the blog post points out, there is a LOT of developmental code and packages in that image that shouldn't be. It is likely just a case of not removing unnecessary packages from the base image.

Because... the entire point of a device like this is that you plug it in somewhere you aren't. MAYBE JetKVM corp can hear me muttering profanity or wondering where I left that USB c splitter when I am trying to assemble it the first time. The rest of the time? It is plugged into the back of a server that I am booting up so that I can install proxmox without having to drag a monitor over. And while you can potentially get some juicy info out of that? It is not at all worth the hassle to set up fake companies and market a fake (moderately high demand in the right circles) device.

To summarize: the device is riddled with security flaws, originally shipped with default passwords, communicates with servers in China, comes preinstalled with hacking tools, and even includes a built-in microphone - fully equipped for recording audio - without clear mention of it in the documentation. Could it get any worse?

I am pretty sure these issues stem from extreme negligence and rushed development rather than malicious intent. However, that doesn’t make them any less concerning.

Slop everywhere. As far as the eye can see.

(though JavaScript JIT must be enabled)

How did they manage this? Is there a JS command to check that?

I disabled JIT/ion in my FF profiles, because js got so complex that it only speeds up the heavy webapps i avoid and has huge security concerns otherwise.

I had several IOT smart plugs that have GPS built in.

why? why would it need to know its exact geographic location?!

after that I created an entire hardware segmented network that's specifically used for IOT and cameras.

last I checked the router/firewall it's on has blocked over 11million requests a month trying to access the outside.

I will never have a "smart" device in my home that's connected to the internet. I'll live like it's the 1930s if I ever have to.

It could probably change the language selector.

If I'm an elite hacker spy who works for the hacker spy division of the Chinese army, am I going to change the system language of the thing I am hacking to Chinese and forget to change it back?